GitHub Actions recently updated ubuntu-latest to 22.04 [1], which now
defaults to nfttables (rather than iptables-legacy) [2]. The portmap
tests in this project are written with the expectation that expected
error message for one test is in the iptables-legacy format.
This commit updates the check to make it work for both the
iptables-legecy and iptables-nftables variants.
References:
[1]: 4aba37bd3b
[2]: https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-22-04-lts
Signed-off-by: Emily Shepherd <emily@redcoat.dev>
This commit changes the order of substituting sysctl path to first handle
. to / change, before substituting the interface name.
This is needed as vlan interfaces have a . in the name, which should not
be changed.
Signed-off-by: mmirecki <mmirecki@redhat.com>
checkPorts would return nil rather than an error if the per-container
DNAT chain didn't exist, meaning CHECK would erroneously return
success rather than failure.
chain.check() already (correctly) checks that the chain exists, so
there's no need to do it separately before calling that anyway.
Signed-off-by: Dan Winship <danwinship@redhat.com>
This commit adds a new parameter `ingressPolicy` (`string`) to the `firewall` plugin.
The supported values are `open` and `same-bridge`.
- `open` is the default and does NOP.
- `same-bridge` creates "CNI-ISOLATION-STAGE-1" and "CNI-ISOLATION-STAGE-2"
that are similar to Docker libnetwork's "DOCKER-ISOLATION-STAGE-1" and
"DOCKER-ISOLATION-STAGE-2" rules.
e.g., when `ns1` and `ns2` are connected to bridge `cni1`, and `ns3` is
connected to bridge `cni2`, the `same-bridge` ingress policy disallows
communications between `ns1` and `ns3`, while allowing communications
between `ns1` and `ns2`.
Please refer to the comment lines in `ingresspolicy.go` for the actual iptables rules.
The `same-bridge` ingress policy is expected to be used in conjunction
with `bridge` plugin. May not work as expected with other "main" plugins.
It should be also noted that the `same-bridge` ingress policy executes
raw `iptables` commands directly, even when the `backend` is set to `firewalld`.
We could potentially use the "direct" API of firewalld [1] to execute
iptables via firewalld, but it doesn't seem to have a clear benefit over just directly
executing raw iptables commands.
(Anyway, we have been already executing raw iptables commands in the `portmap` plugin)
[1] https://firewalld.org/documentation/direct/options.html
This commit replaces the `isolation` plugin proposal (issue 573, PR 574).
The design of `ingressPolicy` was discussed in the comments of the withdrawn PR 574 ,
but `same-network` was renamed to `same-bridge` then.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Check tableID not in use for every ipCfg
This allows SBR plugin to accommodate for multi-ip interfaces
Fixes #581
Signed-off-by: Anurag Dwivedi <anuragensemble1@gmail.com>
Since the CNI Spec bump to v1.0 the tuning plugin no longer updates the
mac address in the cni result for 0.4.0 or below configs. I don't think
this ever worked when the cni result was converted to a different version.
A test has been added to ensure it is working for all spec versions.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
This adds support to allow the tuning plugin to enable/disable the
allmulticast mode of the interface. When enabled it instructs the
network driver to retrieve all multicast packets from the network.
Signed-off-by: Björn Svensson <bjorn.a.svensson@est.tech>
Move default table routes which match the ipCfg config
This allows SBR plugin to accommodate for multi-ip interfaces
Fixes #581
Signed-off-by: Anurag Dwivedi <anuragensemble1@gmail.com>
Values changed by Tuning plugin should be changed only for pod, therefore should be reverted when NIC is being moved from pod back to host.
Fixes: #493
Signed-off-by: Patryk Strusiewicz-Surmacki <patrykx.strusiewicz-surmacki@intel.com>
conntrack does not have any way to track UDP connections, so
it relies on timers to delete a connection.
The problem is that UDP is connectionless, so a client will keep
sending traffic despite the server has gone, thus renewing the
conntrack entries.
Pods that use portmaps to expose UDP services need to flush the existing
conntrack entries on the port exposed when they are created,
otherwise conntrack will keep sending the traffic to the previous IP
until the connection age (the client stops sending traffic)
Signed-off-by: Antonio Ojea <aojea@redhat.com>
The e2e tests already covers both versions, and since the plugin is
meant to be used in chains, this will augment the scope of the plugins
it can be used with.
Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
When specified from the user, the VRF will get assigned to the given
tableid instead of having the CNI to choose for a free one.
Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
The new tests expand coverage, checking deletion, ip address handling,
0.4.0 compatibility, behaviour in case of multiple vrfs.
Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
This plugin allows to create a VRF with the given name (or use the existing
one if any) in the target namespace, and to allocate the interface
to it.
VRFs make it possible to use multiple routing tables on the same namespace and
allows isolation among interfaces within the same namespace. On top of that, this
allow different interfaces to have overlapping CIDRs (or even addresses).
This is only useful in addition to other plugins.
The configuration is pretty simple and looks like:
{
"type": "vrf",
"vrfname": "blue"
}
Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
This change allows providing an 'ipam' section as part of the
input network configuration for flannel. It is then used as
basis to construct the ipam parameters provided to the delegate.
All parameters from the input ipam are preserved except:
* 'subnet' which is set to the flannel host subnet
* 'routes' which is complemented by a route to the flannel
network.
One use case of this feature is to allow adding back the routes
to the cluster services and/or to the hosts (HostPort) when
using isDefaultGateway=false. In that case, the bridge plugin
does not install a default route and, as a result, only pod-to-pod
connectivity would be available.
Example:
{
"name": "cbr0",
"cniVersion": "0.3.1",
"type": "flannel",
"ipam": {
"routes": [
{
"dst": "192.168.242.0/24"
},
{
"dst": "10.96.0.0/12"
}
],
"unknown-param": "value"
},
"delegate": {
"hairpinMode": true,
"isDefaultGateway": false
}
...
}
This results in the following 'ipam' being provided to the delegate:
{
"routes" : [
{
"dst": "192.168.242.0/24"
},
{
"dst": "10.96.0.0/12"
},
{
"dst" : "10.1.0.0/16"
}
],
"subnet" : "10.1.17.0/24",
"type" : "host-local"
"unknown-param": "value"
}
where "10.1.0.0/16" is the flannel network and "10.1.17.0/24" is
the host flannel subnet.
Note that this also allows setting a different ipam 'type' than
"host-local".
Signed-off-by: David Verbeiren <david.verbeiren@tessares.net>
